Full packet capture, missing something obvious.

Jesse Bowling jesseb at uga.edu
Thu Dec 22 21:27:09 EST 2011


On 12/22/11 9:03 PM, Jesse Bowling wrote:
> After some off list discussion with Scott, he explained to me that he
> actually wants to have argus generate both a flow file as well as a pcap
> file of the data as it's captured...
> 
> I'm not aware of a way to get argus to do this; anyone else?
> 

I thought of a hackish way to go about it...YMMV:

mkfifo tcpdump.fifo
mkfifo argus.fifo
tcpdump -r tcpdump.fifo -w /pcaps/%Y_%m_%d_%H%M_test.pcap -G 300 &
argus -r argus.fifo -w - | rasplit -r - -M time 5m -w /argus/%Y_%m_%d_%H%M_test.argus &
tcpdump -i eth0 -s 2048 -w - | tee argus.fifo > tcpdump.fifo &

I was worried that file rotation might break the pipe, but it appears
that it does not on my RHEL6 box...

Cheers,

Jesse

> Cheers,
> 
> Jesse
> 
> On 12/22/11 7:51 PM, Jesse Bowling wrote:
>> On 12/22/11 5:34 PM, Scott McIntyre wrote:
>>> Hi,
>>>
>>> I've enabled, I think, full packet capture in Argus, however, the
>>> packet.out file, whilst created, remains empty.
>>>
>>> Short of uncommenting
>>> the ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out" line, is there
>>
>> I believe this file is only used in conjunction with the
>> ARGUS_PACKET_CAPTURE_ON_ERROR setting...You probably want:
>>
>> ARGUS_CAPTURE_DATA_LEN=512   #set to number of bytes you want to capture
>>
>> This will capture the first 512 bytes of the content/user data in a
>> stream and keep it in with the rest of the flow data...You can then view
>> it with ra, for instance:
>>
>> # ra -r ra_capture_file -M dsrs=time,flow,metric,suser,duser -s +suser:512 +duser:512 - tcp and port 80
>>
>> This will show the first 512 bytes of the data from the source and
>> destination...Be warned that capturing user data adds quite a bit of
>> processing, which may or may not make a difference in packet drops
>> depending on your setup.
>>
>> Hope that helps,
>>
>> Jesse
>>
>>> (this is with the -latest client and server)
>>>
>>> My thanks,
>>>
>>> Scott
>>>
>>
> 

-- 
Jesse Bowling
Security Architect::Office of Information Security::UGA
jesseb at uga dot edu::706-542-2127
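The tee-and-fifo fan-out from the message above, as an added example that is not part of the original thread: it swaps tcpdump and argus for generic stand-ins (a constructed byte stream as the producer, split as the rotating writer, cat as the second consumer) so it runs without either tool, and checks that both consumers receive the complete, identical stream even while one of them rotates its output files.

```shell
#!/bin/sh
# Added example, not from the thread: the tee/fifo fan-out rebuilt with
# generic consumers. A constructed byte stream stands in for
# "tcpdump -i eth0 -w -"; "split -b 64k" stands in for the rotating writer
# (tcpdump -G / rasplit -M time); "cat > flow.out" for the second consumer.
# Returns 0 only if BOTH consumers received the complete, identical stream.
fanout_demo() {
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/pcap.fifo" "$dir/flow.fifo" || return 1

    # Readers first: opening a fifo for writing blocks until a reader
    # exists, and tee opens every output before it copies a single byte.
    # Consumer 1 rotates its output every 64 KiB while keeping the fifo
    # open, which is the rotation case the thread was worried about.
    split -b 64k "$dir/pcap.fifo" "$dir/rot_" &
    pid_rot=$!
    cat "$dir/flow.fifo" > "$dir/flow.out" &
    pid_flow=$!

    # Producer: 1 MiB of constructed data in place of the live capture,
    # duplicated by tee to both fifos exactly as in the posted pipeline.
    yes 'constructed capture bytes' | head -c 1048576 > "$dir/input.bin"
    tee "$dir/pcap.fifo" < "$dir/input.bin" > "$dir/flow.fifo"
    wait "$pid_rot" "$pid_flow"

    # Rotation produced 16 files (1 MiB / 64 KiB); concatenated they must
    # equal the input, and the non-rotating consumer must hold an identical
    # copy. Rotation happens on the consumer's output, never on the fifo.
    cat "$dir"/rot_* > "$dir/rot.all"
    n_files=$(ls "$dir"/rot_* | wc -l)
    if cmp -s "$dir/input.bin" "$dir/rot.all" \
       && cmp -s "$dir/input.bin" "$dir/flow.out" \
       && [ "$n_files" -eq 16 ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}
```

The same property cuts the other way: if either consumer stalls or exits, tee blocks or dies with it and the live capture stops for both, so monitor tcpdump's drop counters when running this layout.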



